Prevent access to nonplat_service_contexts on full_treble.

On Full Treble devices, servicemanager should only service services from the platform service_contexts file. Created new type to separate plat_ and nonplat_service_contexts, and added new type to mapping (although I don't think this type should have been used by vendors). Bug: 36866029 Test: Marlin/Taimen boot Change-Id: Ied112c64f22f8486a7415197660faa029add82d9

Prevent access to nonplat_service_contexts on full_treble.
431a03bb · Martijn Coenen · 7f7c3b82 · 431a03bb · 431a03bb · 431a03bb
Commit 431a03bb authored 7 years ago by Martijn Coenen
--- a/prebuilts/api/26.0/26.0.cil
+++ b/prebuilts/api/26.0/26.0.cil
@@ -537,7 +537,7 @@
 (typeattributeset serial_device_26_0 (serial_device))
 (typeattributeset serialno_prop_26_0 (serialno_prop))
 (typeattributeset serial_service_26_0 (serial_service))
-(typeattributeset service_contexts_file_26_0 (service_contexts_file))
+(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
 (typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
 (typeattributeset servicemanager_26_0 (servicemanager))
 (typeattributeset servicemanager_exec_26_0 (servicemanager_exec))

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -51,7 +51,7 @@
 /sepolicy           u:object_r:sepolicy_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
-/nonplat_service_contexts   u:object_r:service_contexts_file:s0
+/nonplat_service_contexts   u:object_r:nonplat_service_contexts_file:s0
 /nonplat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
 /vndservice_contexts   u:object_r:vndservice_contexts_file:s0

@@ -297,7 +297,7 @@

 /vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
-/vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts    u:object_r:nonplat_service_contexts_file:s0
 /vendor/etc/selinux/nonplat_hwservice_contexts    u:object_r:hwservice_contexts_file:s0
 /vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
 /vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0

--- a/public/file.te
+++ b/public/file.te
@@ -313,6 +313,9 @@ type sepolicy_file, file_type;
 # service_contexts file
 type service_contexts_file, file_type;

+# nonplat service_contexts file (only accessible on non full-treble devices)
+type nonplat_service_contexts_file, file_type;
+
 # hwservice_contexts file
 type hwservice_contexts_file, file_type;


--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -16,10 +16,9 @@ allow servicemanager {
  -vndservicemanager
 }:binder transfer;

-# Access to all (system and vendor) service_contexts
-# TODO(b/36866029) access to nonplat_service_contexts
-#                  should not be allowed on full treble devices
 allow servicemanager service_contexts_file:file r_file_perms;
+# nonplat_service_contexts only accessible on non full-treble devices
+not_full_treble('allow servicemanager nonplat_service_contexts_file:file r_file_perms;')

 # Check SELinux permissions.
 selinux_check_access(servicemanager)